Lucene search

GoogleOSV:GHSA-58M3-RCVP-F9WW

HistoryJun 27, 2024 - 9:32 p.m.

h2o vulnerable to unexpected POST request shutting down server

2024-06-2721:32:08

Google

osv.dev

h2o-3

version 3.46.0

vulnerability

server shutdown

denial of service

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

JSON

In h2oai/h2o-3 version 3.46.0, the run_tool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class, MojoConvertTool, crashes the server when invoked with an invalid argument, causing a denial of service.

References

github.com/h2oai/h2o-3

huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458

nvd.nist.gov/vuln/detail/CVE-2024-5979

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

JSON

Related for OSV:GHSA-58M3-RCVP-F9WW